GDPR – 100 Days To Go. Are You Ready?

GDPR applies from 25 May 2018 across the EU, the UK included. Are you ready? And, more importantly, are you compliant?

UK Data Protection Laws Overhauled

Some would say that updating the data protection laws is long overdue, and they’d be right. Why? Because in an age of extensive and rapidly advancing digital technologies, our personal data is collected, copied and accessed more readily than ever before.

The aim of the new regulation is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Tech Talk: The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. (Source: www.eugdpr.org).

GDPR affects the collection and processing of personal data both online and offline.

What’s The Plan?

Essentially, the new regulations (the GDPR together with the UK Data Protection Bill that accompanies it) seek to give individuals more control over what happens to their personal information. They will:

enable UK citizens to ask for personal data, including information they posted as children, to be deleted

give people more control over their data, require more consent for its use, and prepare Britain for Brexit

make it simpler for people to withdraw consent for their personal data to be used

require firms to obtain “explicit” consent when they process sensitive personal data. The changes mean it will be harder for businesses and organisations to obtain consent and easier for individuals to withdraw

expand the definition of personal data to include online identifiers such as IP addresses and cookies (small text files set by websites), as well as genetic data such as DNA

let people get hold of the information organisations hold on them much more freely

make it a criminal offence to re-identify people from anonymised or pseudonymised data

How Does That Apply In The Real World?

Here are some examples. The third is likely to have the biggest impact on the processes businesses and organisations use today, whether consent is obtained via a website (or other online platform), an eNewsletter marketing sign-up or a paper form.

any firm that holds your personal data, from your name to your DNA, you’ll be able to ask them to delete it

if you worry about embarrassing social media posts lingering online for years, you will soon have the right to ask for them to be removed

consent requires a positive opt-in. Businesses and organisations MUST NOT rely on pre-ticked boxes, silence, inactivity or any other form of default consent. Explicit consent requires a very clear and specific statement of consent

Regarding GDPR and web design, the new regulations place obligations on the people who plan the website and handle the data it collects, not only on the website owner or the web hosting company, so a much wider range of people is covered.

What Are The Key Changes?

If you’re keen to establish what you need to do in preparation for GDPR, please find below a summary of the key changes. There are also some helpful resources at the end of this article.

The video below is particularly helpful too. Stewart Room, Global Head of Data Protection at PwC Legal, discusses the new General Data Protection Regulation and its impacts for entities and citizens:

GDPR Changes Summary

Jurisdiction – Increased Territorial Scope:
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR: it applies to any company processing the personal data of data subjects in the Union, regardless of where the company is located, where that processing relates to offering them goods or services or to monitoring their behaviour.

GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not.

Consents:
The conditions for consent have been strengthened, and companies will no longer be able to use long and complicated terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data Rights:

Breach Notification: it will become mandatory in all member states to notify the supervisory authority of a personal data breach unless the breach is unlikely to “result in a risk to the rights and freedoms of individuals”. This must be done within 72 hours of first becoming aware of the breach; where the risk to individuals is high, the affected individuals must also be told without undue delay

Right To Access: the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose

Right To Be Forgotten: also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data

Data Portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘structured, commonly used and machine-readable format’, and the right to transmit that data to another controller

Privacy By Design: building data protection into systems from the outset rather than adding it afterwards, and holding and processing only the data that is strictly necessary for the purpose at hand (data minimisation)

Data Protection Officers (DPO): internal record-keeping requirements and DPO appointment will be mandatory only for public authorities and for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences

The Price To Pay For Non-Compliance?

Ensure that you’re compliant with GDPR

Under GDPR, firms that infringe the regulation (a serious data breach being the obvious case) can be fined up to €20m (around £17m) or 4% of global annual turnover, whichever is higher (ouch!).

The current maximum fine under the Data Protection Act 1998 for breaking data protection laws is £500,000.

The UK’s Information Commissioner will have its powers strengthened and extended to help it police the new regime.

Compliance should involve a holistic review of risk, looking at the classic trio of people, processes and technology. It will also need to be an ongoing effort, not just a one-off review.

The new GDPR and the Digital Single Market Directive essentially mandate that security is built-in, not bolted-on as an afterthought, and that data is protected by design and by default.

In a nutshell, security is not just about complying with the rules, it’s about protecting your customers, protecting your reputation, and protecting your future.

Practical Steps For Website GDPR Compliance

As far as your website is concerned, the following should be addressed/implemented to comply with GDPR:

An updated Privacy & Cookie Policy, with GDPR-compliant clauses stating what data your website (and your business, via all channels of communication) collects, what you use it for, how you store and protect it, how you process it and who you share it with

Obtain clear, affirmative consent before setting any cookies that are not strictly necessary, and make withdrawing that consent as easy as giving it

Ensure your website’s software is GDPR compliant (WordPress, your website’s theme and all plugins). It’s your responsibility to ensure that every plugin can export/provide/delete the user data it collects.
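The consent rules above (positive opt-in, no pre-ticked or default consent, withdrawal as easy as giving consent) translate into a small piece of front-end logic. The following is an added example, not code from the original article or from any cookie-banner product: a consent gate that sets no non-essential cookie until the visitor actively ticks its category, records the consent with a timestamp and policy version so it can be evidenced, re-prompts when the policy version changes, and on withdrawal removes every cookie that depended on the consent. The cookie store is abstracted so the same logic runs in Node (Map-backed jar for this example) and in a browser (`document.cookie`); the cookie names, categories and policy version strings are assumptions.

```javascript
'use strict';

// Assumed names: the consent record itself is strictly necessary, so it needs no consent.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing'];

// In-memory cookie jar standing in for document.cookie so the example runs offline.
function createMemoryJar() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

// Browser-backed jar with the same interface (not exercised here; needs a DOM).
function createDocumentJar() {
  const parse = () => Object.fromEntries(
    document.cookie.split('; ').filter(Boolean).map((kv) => {
      const i = kv.indexOf('=');
      return [decodeURIComponent(kv.slice(0, i)), decodeURIComponent(kv.slice(i + 1))];
    }),
  );
  return {
    get: (name) => (name in parse() ? parse()[name] : null),
    set: (name, value) => {
      document.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    },
    remove: (name) => { document.cookie = `${encodeURIComponent(name)}=; Path=/; Max-Age=0`; },
    names: () => Object.keys(parse()),
  };
}

function createConsentManager(jar) {
  // Cookies registered per category; each is only written once its category is consented.
  const pending = { analytics: [], marketing: [] };

  function current() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  function hasConsent(category) {
    const c = current();
    return Boolean(c && c.granted.includes(category));
  }

  // Register a cookie in a category. Nothing is written unless consent already exists.
  function registerCookie(category, name, value) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    pending[category].push({ name, value });
    if (hasConsent(category)) jar.set(name, value);
  }

  // Positive opt-in: the caller passes only the categories the visitor actively ticked.
  // An empty selection is valid and records "no non-essential cookies".
  function grant(categories, policyVersion) {
    const granted = categories.filter((c) => CATEGORIES.includes(c));
    const record = { granted, policyVersion, at: new Date().toISOString() };
    jar.set(CONSENT_COOKIE, JSON.stringify(record));
    for (const cat of granted) for (const { name, value } of pending[cat]) jar.set(name, value);
    return record;
  }

  // Withdrawal: one call removes the dependent cookies and updates the record.
  function withdraw(categories = CATEGORIES) {
    const c = current();
    const remaining = c ? c.granted.filter((g) => !categories.includes(g)) : [];
    for (const cat of categories) for (const { name } of pending[cat]) jar.remove(name);
    const record = { granted: remaining, policyVersion: c ? c.policyVersion : null, at: new Date().toISOString() };
    jar.set(CONSENT_COOKIE, JSON.stringify(record));
    return record;
  }

  // Consent given under an older policy version must be asked for again, not assumed.
  function needsPrompt(policyVersion) {
    const c = current();
    return !c || c.policyVersion !== policyVersion;
  }

  return { hasConsent, registerCookie, grant, withdraw, needsPrompt, current };
}

// Usage with the in-memory jar (constructed sample data).
const demoJar = createMemoryJar();
const consent = createConsentManager(demoJar);
consent.registerCookie('analytics', '_ga', 'GA1.2.1234.5678'); // not written yet
consent.registerCookie('marketing', 'ad_id', 'abc');
consent.needsPrompt('2018-05');      // true: no record, so the banner must be shown
consent.grant(['analytics'], '2018-05');
consent.hasConsent('analytics');     // true
consent.hasConsent('marketing');     // false: unticked means no consent
consent.withdraw();                  // _ga removed; record kept with granted: []
```

In a real page the banner's "accept" handler calls `grant` with exactly the boxes the visitor ticked (never a pre-filled default), the privacy page exposes a single "withdraw" control that calls `withdraw`, and `needsPrompt` is checked on load with the current policy version so that a changed policy triggers a fresh request rather than silently reusing old consent. Swap `createMemoryJar` for `createDocumentJar` in the browser.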